Protected resource being accessed without access_token in Spring-Security-Oauth2


In my application I have implemented spring-security-oauth2, and everything is working fine except in one case.

The scenario is: I log in to the system and get an OAuth2 access_token. I request my protected resource by providing that token, and I get the results. Again I do the same request without any header (without access_token), and this time also I get the protected resource.

My protected resource related Code:

<http pattern="/**" create-session="never"
      entry-point-ref="oauthAuthenticationEntryPoint"
      xmlns="http://www.springframework.org/schema/security">
    <anonymous enabled="true" />
    <intercept-url pattern="/users" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    <custom-filter ref="customFilter" position="FORM_LOGIN_FILTER" />
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
</http>

Also, I have used a custom filter, and I print the client_id in my filter using the authentication object like this:

Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
System.out.println("----------->>>" + ((OAuth2Authentication) authentication).getAuthorizationRequest().getClientId());

With the access_token I get the client_id "test1", and after the first request, if I do the same request without the access_token, I again get the same client_id "test1".

And resource is also accessed.

I tried hard but didn't find any loophole in the code. Any help will be appreciated.

There is 1 answer

0
Rubén Souto Pérez

This worked for me:

Change create-session = "never" to create-session = "stateless"

Hope this helps.
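
The change from the answer applied to the question's `<http>` block, as an added example that is not part of the original answer. The comments describe the documented difference between the two `create-session` values; where the pre-existing session came from is an assumption, since the page does not show it.

```xml
<!--
  create-session="never":     Spring Security will not create an HttpSession,
                              but if one already exists it still loads the
                              SecurityContext from it. A session created by
                              anything else in the request path (assumption:
                              application code or the custom filter) therefore
                              restores the OAuth2Authentication of the first
                              request, and the second request passes without a token.
  create-session="stateless": Spring Security neither creates a session nor
                              reads the SecurityContext from an existing one, so
                              every request has to authenticate with its own
                              access_token.
-->
<http pattern="/**" create-session="stateless"
      entry-point-ref="oauthAuthenticationEntryPoint"
      xmlns="http://www.springframework.org/schema/security">
    <anonymous enabled="true" />
    <intercept-url pattern="/users" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    <custom-filter ref="customFilter" position="FORM_LOGIN_FILTER" />
    <!-- Runs on every request; with "stateless" it is the only source of the
         OAuth2Authentication seen by the access checks above. -->
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
```

To confirm the fix, repeat the request from the question without the `Authorization` header while still sending the session cookie from the first response; the resource server should now answer through `oauthAuthenticationEntryPoint` instead of returning the resource.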